Privacy Basics: A Quick HIPAA Check for Medical Device Companies

The Health Insurance Portability and Accountability Act (HIPAA) regulations have been widely discussed in the press and within the medical provider community. Doctors and hospitals have grown used to the regulations. However, within the medical device community there are still questions about how to interact with healthcare professionals from whom we wish to obtain information. This article consolidates the basic issues for medical device companies that need access to protected health information (PHI) held within medical institutions.

HIPAA

HIPAA, which was enacted in 1996, had many different goals, including making insurance transferable upon leaving employment, enabling electronic billing for medical costs, and, the most famous result, the authorization of federal privacy rules for health information. The Department of Health and Human Services (HHS) then made two regulations: the HIPAA privacy rule, which regulates private health information, and the HIPAA security rule, which regulates the manner in which healthcare providers control and protect health information.

Covered Entities

The organizations controlled by the HIPAA privacy regulation are called covered entities. A covered entity is any healthcare provider that electronically bills for its services. This covers almost all healthcare professionals. It also means that most medical device companies are not covered entities. However, some medical device firms that sell to patients and bill Medicare may qualify as covered entities and be bound by HIPAA. For example, a company that sells insulin pumps to patients and bills Medicare would be a covered entity. Some companies may have a subsidiary that is a covered entity while the rest of the company is not covered; such companies are called hybrids. The company can wall off the subsidiary, which is a covered entity, so that only that part of the company is bound by HIPAA.

Covered Information

HIPAA defines the covered information as PHI, which is any health-related information that may identify a patient. HIPAA takes an expansive view of what may identify a person. There is a list of 18 identifiers. Besides the traditional identifiers such as name, address, phone number, social security number, etc., there are some device-related identifiers, such as serial number or date of service when the device was used, that have proven quite difficult to deidentify.

Almost any information from a patient file has to be carefully scrutinized to be sure it is not PHI. The definition is wider in the United States than it is in the European Union (EU), where more traditional identifiers are used. Member nations of the EU are governed by the EU Directive on Data Privacy.

Disclosure of PHI

Authorization is the term used for a patient to allow some disclosure or use of PHI. HIPAA determines authorized uses of PHI by covered entities and what disclosures of PHI may be made. The HIPAA privacy regulation outlines when a covered entity must obtain authorization from the patient or approval from an institutional review board (IRB) or privacy board.

Note that the EU uses the term consent for this document while HIPAA uses authorization. For device companies, there may be an informed consent document created to comply with FDA clinical rules or the HHS Common Rule. This consent document may have a HIPAA authorization built into it, but the HIPAA authorization is not called a consent.

With several exceptions, a covered entity may use PHI within its organization without restriction by HIPAA. However, when it discloses information outside its boundaries, the covered entity must comply with the HIPAA privacy regulation's limitations and authorization requirements. The covered entity may disclose to third parties without authorization for three HIPAA-specified activities: treatment, payment, or healthcare operations (TPO).

Treatment. Treatment refers to communication of PHI needed to treat the patient, such as information flow between the covered entity and another healthcare provider, e.g., another doctor who is treating the patient. A general practitioner and a specialist may discuss their joint patient for the purpose of treatment without activating any authorization requirements under HIPAA. This treatment exception could involve a medical device company. For example, if a technical representative from a medical device company takes part in a surgery to help use or train surgeons on the company's equipment, that participation is part of treatment and does not require an authorization. Although it is wise to notify the patient before exposing his or her data or personal information to a company representative, there is no specific HIPAA requirement to do so under these circumstances.

Payment. Payment refers to the process of obtaining payment from payers such as insurance carriers. Although covered entities routinely ask for consent to disclose information to payers, and there may be consent requirements at the state level, there is no need for a HIPAA authorization for billing.

Healthcare Operations. The term healthcare operations refers to the internal mechanics of running the covered entity. PHI may be transmitted as part of normal business operations. For example, the covered entity may use PHI for internal quality assurance and improvement activities.

Business Associates

Sometimes a covered entity receives assistance in performing activities that involve the use or disclosure of PHI under HIPAA. The person or entity providing the help is called a business associate. A covered entity may enter a business associate agreement (BAA) with another person or company that is providing services to the covered entity with regard to TPO. For example, the covered entity might outsource its billing department to a third party. In such a case, the covered entity would engage that biller with a BAA.

It is very unusual for a medical device company to need a BAA with any covered entity. In the early days of HIPAA, covered entities were wholesale shipping BAAs to everyone they purchased from. Since then, HHS has made it clear that the normal relationship between a medical device provider and a covered entity does not require a BAA.

It is only when a medical device company is acting on behalf of a covered entity that it needs a BAA. One narrow example is when a covered entity is prescreening patient records in preparation for research. It can do that without an authorization. However, if the covered entity allows a third party, such as a device company, onto its property to do such preliminary searching on the covered entity's behalf, it may then need a BAA to protect the PHI that the device company will access.

Access to PHI

There are a number of access points to PHI for a device company. Some information is necessary for the device company to have and some is thrust upon it. Common ways to be exposed to PHI include the following.

Treatment. As a device company, you have a role in treatment. For example, as previously discussed, a device company representative may attend the actual use of a device. Or, a doctor may call the OEM's technical services staff with questions about how a particular patient's anatomy or medical symptoms could affect the use of the company's device. Even though no name is given, the medical data may include HIPAA identifiers. Such treatment interactions between the medical device company and the covered entity are part of the treatment exception to HIPAA and therefore require no special authorization.

Accidental Exposure. A device company field representative may accidentally be exposed to PHI while at the site of a covered entity. For example, the representative might inadvertently see a patient chart while in a doctor's office. HIPAA calls this incidental disclosure. HIPAA allows such action without any repercussions under the regulation. Remember that PHI is still private and the company representative should not disclose what is accidentally seen to anyone else.

Clinical Trial or Other Research Information. There are three main routes for obtaining PHI from a covered entity for research: authorization, partial waiver from an IRB, or deidentification.

The most common way to obtain research data is through patient authorization. An authorization is built into the informed consent document in most medical device clinical trials. Once a company is in the process of having a patient sign a consent form, it is not much extra work to include the additional elements required for a HIPAA-compliant authorization. This method makes it possible to obtain wider access to use of the data. Most device companies want to harness the data to improve future generations of devices and not just the immediate use. Such usage can be accounted for in a signed authorization.

A partial waiver means asking an IRB to allow PHI of a limited nature to be disclosed without a patient's authorization. For example, the site could strip out all directly identifiable information such as names, addresses, etc. The remaining identifiers might technically identify the patient, but the IRB may determine that the risk is low and allow disclosure without patient authorization. However, this process has proven difficult in practice simply due to the bureaucracy that has to be managed; companies have found the IRB interface to be too slow and laborious to use often.

Deidentification requires removing all 18 identifiers from the PHI, which can be difficult for device research. For example, because device serial numbers are often needed to correlate to other records, they are a hard identifier to do without. Similarly, dates of visits are often needed to correlate to device performance over time. However, deidentification is still a viable option for some research.
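As an added illustration of the deidentification route described above (example code, not part of the original article), the function below applies the HIPAA Safe Harbor rules of 45 CFR 164.514(b)(2) to a constructed device-event record: names, medical record number, date of birth and device serial number are dropped, dates keep only the year, ages over 89 collapse to "90+", and phone numbers, MRNs and the patient's name are scrubbed from free text. To preserve the serial-number linkage the article says research needs, the serial is replaced by a random re-identification code (permitted by 164.514(c) because it is not derived from the data) whose mapping stays with the covered entity. The record layout and field names are my assumptions.

```python
import re
import secrets
from datetime import date

# Constructed sample record (not from the article); the field names are my
# assumptions for what a hospital might send a device maker about one implant.
SAMPLE_RECORD = {
    "patient_name": "Jane Example",
    "mrn": "MRN-0012345",
    "date_of_birth": "1912-04-02",
    "date_of_service": "2004-11-17",
    "device_serial": "SN-77A-009",
    "device_model": "PumpModel-3",
    "note": "Called pt Jane at 617-555-0100 about pump alarm; see MRN-0012345.",
    "outcome": "no adverse event",
}

# Safe Harbor identifier classes (45 CFR 164.514(b)(2)) present in this sample.
DROP_FIELDS = {"patient_name", "mrn", "device_serial", "date_of_birth"}
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),  # telephone numbers
    (re.compile(r"\bMRN-\d+\b"), "[MRN]"),              # medical record numbers
]

def age_bucket(dob: str, on: str) -> str:
    """Age may be kept, but every age over 89 collapses into one '90+' bucket."""
    born, ref = date.fromisoformat(dob), date.fromisoformat(on)
    age = ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)

def scrub_text(text: str, patient_name: str) -> str:
    """Remove phone numbers, MRNs and the patient's own name parts from free text."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    for part in patient_name.split():
        text = re.sub(r"\b%s\b" % re.escape(part), "[NAME]", text)
    return text

def deidentify(record: dict, relink: dict) -> dict:
    """Return a Safe Harbor copy of `record`. The serial becomes a random code not
    derived from any data; `relink` (code -> serial) stays at the covered entity."""
    code = secrets.token_hex(8)
    relink[code] = record["device_serial"]
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}
    out["relink_code"] = code
    out["age_at_service"] = age_bucket(record["date_of_birth"], record["date_of_service"])
    out["date_of_service"] = record["date_of_service"][:4]   # year only
    out["note"] = scrub_text(record["note"], record["patient_name"])
    return out
```

The `relink` dictionary is the re-identification key: it must never leave the covered entity with the deidentified records, or the output is PHI again.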

Compliance with FDA Regulations. A specific section of the HIPAA privacy regulation allows a covered entity to disclose information to a device manufacturer in order for the manufacturer to report to a public health agency, such as FDA. This exception is crucial because it allows a covered entity to communicate with a manufacturer to follow up on a complaint, provide data for a medical device report, track devices, or use information needed for quality system regulation compliance.

PHI after Disclosure

Once PHI is outside a covered entity, HIPAA rules no longer apply to it. In fact, this must be stated in every HIPAA authorization. However, there are myriad state laws that control PHI in different forms, and if the PHI is obtained under a BAA, there are contractual obligations as well. Therefore, a device company should only take PHI when needed and must safeguard it, i.e., only those who truly need access to PHI should be allowed to see it. Device companies must also establish procedures to prevent accidental disclosure.

Conclusion

HIPAA has definitely made research more difficult for device companies. Each time that a company considers accessing PHI, it needs a thorough HIPAA analysis. Initially, device companies feared that the public health exemption was not broad enough and that covered entities would resist releasing the necessary PHI. However, over time, covered entities have cooperated and have generally allowed access to PHI that device companies need for compliance with FDA regulations. Therefore, life is more difficult with HIPAA, but certainly not impossible.